Key expansion for qkd

ABSTRACT

A method of encrypting information using an encryption pad based on keys exchanged between quantum key distribution (QKD) stations is disclosed. The method includes establishing raw keys between two stations using QKD, processing the keys to establish a plurality of matching privacy amplified keys at each station and buffering the keys in a shared key schedule. The method also includes the option of expanding one or more of the keys in the shared key schedule using a stream cipher to create a supply of expanded keys that serve as pads for one-time-pad encryption.

CLAIM OF PRIORITY

This patent application claims priority from U.S. Provisional Patent Application No. 60/445,805, filed on Feb. 7, 2003.

TECHNICAL FIELD

The present invention relates to quantum cryptography, and in particular relates to key expansion methods applied to keys established between quantum key distribution (QKD) stations for the purpose of forming one-time pads for sending encrypted information between the QKD stations.

BACKGROUND ART

Quantum key distribution involves establishing a key between a sender (“Alice”) and a receiver (“Bob”) by using weak (e.g., 0.1 photon on average) optical signals transmitted over a “quantum channel.” The security of the key distribution is based on the quantum mechanical principle that any measurement of a quantum system in an unknown state will modify its state. As a consequence, an eavesdropper (“Eve”) that attempts to intercept or otherwise measure the quantum signal will introduce errors into the transmitted signals, thereby revealing her presence.

The general principles of quantum cryptography were first set forth by Bennett and Brassard in their article “Quantum Cryptography: Public key distribution and coin tossing,” Proceedings of the International Conference on Computers, Systems and Signal Processing, Bangalore, India, 1984, pp. 175-179 (IEEE, New York, 1984). A specific QKD system is described in U.S. Pat. No. 5,307,410 to Bennett (the '410 patent).

The Bennett-Brassard article and the '410 patent each describe a so-called “one-way” QKD system wherein Alice randomly encodes the polarization of single photons, and Bob randomly measures the polarization of the photons. The one-way system described in the '410 patent is based on two optical fiber Mach-Zehnder interferometers. Respective parts of the interferometer are accessible by Alice and Bob so that each can control the phase of the interferometer. The signals (pulses) sent from Alice to Bob are time-multiplexed and follow different paths.

U.S. Pat. No. 6,438,234 to Gisin (the '234 patent), which patent is incorporated herein by reference, discloses a so-called “two-way” QKD system that is autocompensated for polarization and thermal variations. The two-way system is based on a folded interferometer wherein the optical pulses traverse the same path through the interferometer, but with a time delay.

The general operation of a QKD system is described in the book by Bouwmeester, Ekert and Zeilinger (Eds.) entitled “The physics of quantum information,” Springer-Verlag (2001), section 2.3. In the operation of the two-way phase-encoding system of the '234 patent, Bob generates a single optical pulse and forms therefrom two coherent pulses P1 and P2 that travel to Alice with a time delay between the pulses. Alice attenuates the pulses to make them weak and then randomly phase modulates one of the pulses (say P1). Alice also reflects the pulses with a Faraday mirror so that the polarization of each pulse is rotated by 90° before returning to Bob. The pulses return to Bob and in doing so traverse the same round-trip path through the interferometer but in different order. Bob then randomly phase-modulates the yet-unmodulated pulse P2, and recombines the now-modulated pulses P1 and P2. The combined pulses interfere, and the result of the interference is detected in one of two detectors, depending on the respective phases imparted to pulses P1 and P2 by Alice and Bob, respectively. The detected pulses constitute Bob's measured qubits.

After a sufficiently large number of qubits are exchanged between Bob and Alice, Bob and Alice publicly compare the basis used to encode each photon, and also discard photons that did not arrive at Bob or Alice. Alice and Bob keep only those qubits corresponding to the same phase-encoding basis. This forms the sifted key. Alice and Bob then choose at random some of the qubits in the sifted key to test for errors that reveal the presence of an eavesdropper. These test qubits are then discarded. If there are no errors, the remaining qubits form the shared key. At this point, an operation called “privacy amplification” is typically performed. This operation involves deducing the number of bits (ζ) by which the (error-corrected) key k_N of n bits needs to be shortened so that any information an eavesdropper has about the final key k_F is lower than a specified value. Privacy amplification further includes forming a binary matrix K of dimension (n−ζ)×n, publicly sharing this matrix, and then performing k_F = K·k_N (mod 2) to arrive at the final key k_F.

Finally, an authentication step is typically performed wherein a previously shared authentication key or code is used to ensure that Alice is really Alice and Bob is really Bob. This authentication step can be performed at any point in the key exchange process.

Using the above-described processes, the final key k_F has a given length. The length of the key k_F dictates the amount of information that can be encrypted. The secure key rate from a QKD system is usually too low for commercially available data transmission lines if one-time pad encryption is being used. Also, the achievable data bandwidth is very low and is limited by the key generation rate, which is around 1-10 kbps with present technology. The technology of the present invention, set forth below, presents a method that allows QKD to encrypt broadband streams of data (up to 10 Gbps or more), thus providing a method for expanding the key without having to send additional photons over the system.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a flow diagram that provides an overview of the QKD processes of the present invention;

FIG. 2 is a flow diagram illustrating key sifting as run on Alice's computer;

FIG. 3 is a flow diagram that continues from the flow diagram of FIG. 2, and which illustrates key shuffling using a modified Cascade protocol on Alice's computer;

FIG. 4 is a flow diagram that continues from the flow diagram of FIG. 3, and that illustrates an example embodiment of generating an error-free key on Alice's computer, based on performing privacy amplification of the shuffled key;

FIG. 5 is a flow diagram that illustrates an example embodiment of performing key sifting on Bob's computer;

FIG. 6 is a flow diagram that continues from the flow diagram of FIG. 5, and that illustrates an example embodiment of key shuffling using a modified Cascade protocol on Bob's computer;

FIG. 7 is a flow diagram that continues from the flow diagram of FIG. 6, and that illustrates an example embodiment of generating an error-free key on Bob's computer by performing privacy amplification of the shuffled key;

FIG. 8 is a flow diagram illustrating an example embodiment of performing key expansion on a privacy amplified key;

FIG. 9a is a diagram of an exemplary key schedule for “Pad Expansion Flag”=0, for the case when AES in CTR mode is used; and

FIG. 9b is a diagram of an exemplary key schedule for “Pad Expansion Flag”=1, for the case when AES in CTR mode is used.

DETAILED DESCRIPTION OF THE INVENTION

The present invention has industrial utility in the fields of quantum cryptography, quantum key distribution, and data encryption. In particular, the present invention has industrial utility in combining quantum cryptography and classical cryptography. The present invention provides protection not only from eavesdroppers that utilize passive tapping of transmitted information from a carrier such as, but not limited to, an optical photon, but from any type of intrusion attack, including involved active types of attacks wherein an eavesdropper probes the Alice and Bob nodes (stations) using a probe signal sent through an optical fiber used to transmit data.

As described in greater detail below, the present invention includes a method for generating a cryptographically secure key between two stations. An example method includes exchanging single photon signals between two QKD stations to establish a plurality of matching raw keys at each station. The method also includes processing the raw keys using error correction and privacy amplification, to establish matching privacy amplified keys at each station. The method also includes buffering the privacy amplified keys at each station to form matching key schedules. The method further includes forming at least one expanded key from a key selected from the key schedules, wherein the expanded key serves as a one-time pad to encrypt information to be exchanged between the two stations.

The discussion below assumes that the eavesdropper (“Eve”) is unlimited in her technological resources. The system is optimized to provide the maximal key generation rate in the unconditional security regime. As an example, the system described herein can be implemented on a Pentium III, 500 MHz machine or better machines (assuming that the quantum layer clock does not exceed 10 MHz), and also on a digital signal processor (DSP). A communication channel of approximately 10 Mbit/s may be utilized (depending on the quantum layer clock rate and optical channel length).

Also, in the discussion below, the term “key” is interchangeable with “pad” when the pad is the same length as the key. However, generally speaking, a key is used to form a pad, say by generating a string of bits to be used for data encoding. In this case, the pad has a different length (i.e., number of bits) than the key and is not the same as the key per se. However, in the discussion below, an “expanded key” is used as a pad for one-time pad encryption. Also, the term “expanded pad” is used below and is the same as the “expanded key.” The term “expanded pad” is used to denote a pad that is expanded over a pad that would be formed from an unexpanded key.

In an example embodiment, the method of the present invention includes a number of main algorithmic parts, including sifting, error correction, privacy amplification and key expansion (or no key expansion). The error correction protocol is optimized to reveal as few bits on the public channel as possible. In addition, the error correction protocol utilizes encryption (preferably one-time pad) of bits sent over the public discussion (PD) layer.

The privacy amplification method utilized herein implements a multiplication by a random binary matrix. The matrix multiplication is preceded by cryptographically strong sifted key shuffling. The key expansion step uses a stream cipher.

QKD Process Overview

FIG. 1 is a flow diagram that provides a general overview of the QKD process according to the present invention. With reference to FIG. 1, to start a quantum key distribution (QKD) process, the two parties involved (Alice and Bob) share initial secret information that is required for authentication of the sifting procedure. In the sifting stage, the two parties involved in QKD exchange basis and single-photon detector ‘click’ information.

In order to ‘fight quantum memory’ the sifting process is started with a delay of >1 s after bits are detected. Bob (the party ultimately receiving photons) sends Alice (the party sending photons) information about click time slots and basis information for the positions of the clicks. Alice responds with a stream of bits encoding the ‘correct’ bases for the ‘clicks’. Both parties disregard the bits with ‘wrong’ bases.

The sifting procedure is authenticated. For this purpose, Alice and Bob form a string of bits that they are sending/receiving in pre-agreed form and calculate message authentication code (MAC) values of the string. If the latter values coincide, Alice and Bob proceed to the error correction protocol. If the MAC values do not coincide, they issue an intrusion or “attack alert.”

Authentication may be performed by means of any strong authentication procedure. Preferable procedures are the unconditionally secure message authentication codes (for example, UMAC).

Other possible authentication procedures can be based on an HMAC built on a hash function such as SHA or RIPEMD (or others). The latter case is not unconditionally secure. However, the parties can decide to encrypt/partially encrypt the MAC by using a one-time pad with the absolutely secure key they possess. This removes any possibility of cracking the authentication. It is preferable to use some kind of encryption for the whole sifting procedure, for example AES or TDES.

With continuing reference to FIG. 1, the sifted key is buffered until it reaches a number of bits high enough (e.g., 10^5 bits or more) to run the error correction protocol. Cryptographically strong shuffling is then performed on the sifted key stored in the buffer. Both parties (i.e., Alice and Bob) use the same seed for the shuffling procedure, which they take from their absolutely secure key buffer. In this way, an eavesdropper has no information on the shuffling result. The seed is refreshed at pre-agreed time moments. The shuffling step is utilized to randomize the positions of errors, which is needed for the realization of an efficient error correction protocol, to erase (preferably to a very high degree) the eavesdropper's information on specific bit positions in the sifted key, and to prepare the sifted key for the privacy amplification procedure.

The shuffling step is a security enhancement to the standard BB84 protocols and in an example embodiment may be skipped if all the data transmitted over the public channel is encrypted.

The error correction utilized by the system is characterized, among other ways, by the party correcting the errors deciding on the number of passes of a Cascade protocol based on a hash value provided by the other party. After each pass through the Cascade protocol, the party calculates the hash value on its buffer and compares it to the received value. When the hash values coincide, the Cascade is stopped. If the values do not coincide, then another pass of Cascade is performed. In this way, fewer bits have to be sent over the public channel, and the probability of failure of Cascade to correct some errors is effectively zero. In general, any hash function with good mixing properties may be used (e.g., SHA, MD5). Another modification of the Cascade process includes encrypting parity bits sent over the public discussion layer. The hash value mentioned above should preferably be encrypted as well. Therefore, an eavesdropper listening to the communication over the public discussion layer (channel) does not receive information on bit parities. It should be noted that information on specific bit positions is, to a high degree, erased in the shuffling step.

The outcome of the error correction procedure is buffered for privacy amplification. This buffering may be required to adjust different sizes of blocks in the error correction and privacy amplification steps. Privacy amplification is performed as multiplication of the error-corrected string by a fixed random binary matrix M. The shuffling step enables maintaining the matrix as fixed during QKD.
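The shuffling and privacy amplification steps just described, worked through in Python as an added example (not the patent's own code): both stations apply the same seeded permutation to a 64-bit error-corrected string and compress it with a fixed public binary matrix M as in k_F = M·k_N (mod 2). A SHA-256 counter-mode generator stands in for the unspecified “cryptographically strong” source, the matrix is derived from a public seed, and ζ is taken as a parameter because the page gives no formula for it.

```python
"""Seeded shuffling followed by privacy amplification, k_F = M . k_N (mod 2).

Added example, not the patent's code.  Assumptions: a SHA-256 counter-mode
generator stands in for the unspecified cryptographically strong shuffle; the
public matrix M is derived from a public seed; zeta is a parameter because the
text gives no formula for it.
"""
import hashlib


class CtrPrg:
    """Deterministic bit source built from SHA-256(seed || 64-bit counter) blocks."""

    def __init__(self, seed):
        self.seed, self.ctr, self.buf = seed, 0, b""

    def bits(self, n):
        out = []
        while len(out) < n:
            if not self.buf:
                self.buf = hashlib.sha256(self.seed + self.ctr.to_bytes(8, "big")).digest()
                self.ctr += 1
            byte, self.buf = self.buf[0], self.buf[1:]
            out.extend((byte >> k) & 1 for k in range(8))
        return out[:n]

    def below(self, bound):
        """Unbiased integer in [0, bound) via rejection sampling."""
        nbits = bound.bit_length()
        while True:
            v = int("".join(str(b) for b in self.bits(nbits)), 2)
            if v < bound:
                return v


def seeded_shuffle(bits, secret_seed):
    """Fisher-Yates permutation driven by the seed both stations took from their
    absolutely secure key buffer; without the seed Eve learns nothing about the
    new position of any bit."""
    out = list(bits)
    prg = CtrPrg(secret_seed)
    for i in range(len(out) - 1, 0, -1):
        j = prg.below(i + 1)
        out[i], out[j] = out[j], out[i]
    return out


def random_binary_matrix(rows, cols, public_seed):
    """Fixed (n - zeta) x n matrix M.  Its seed is public: the security of privacy
    amplification does not depend on M being secret."""
    prg = CtrPrg(public_seed)
    return [prg.bits(cols) for _ in range(rows)]


def privacy_amplify(k_n, matrix):
    """k_F[j] = parity of the inner product of row j of M with k_N."""
    if any(len(row) != len(k_n) for row in matrix):
        raise ValueError("matrix columns must equal the key length n")
    return [sum(a & b for a, b in zip(row, k_n)) & 1 for row in matrix]


def station_output(error_corrected_bits, zeta, secret_seed, public_seed):
    """One station's computation: shuffle, then compress n bits to n - zeta bits.
    Returns (k_F, M, k_N) so the caller can inspect the intermediate values."""
    n = len(error_corrected_bits)
    k_n = seeded_shuffle(error_corrected_bits, secret_seed)
    m = random_binary_matrix(n - zeta, n, public_seed)
    return privacy_amplify(k_n, m), m, k_n


def demo():
    """Constructed 64-bit error-corrected string held by both stations, zeta = 24.
    Returns (keys_match, len(k_F), bits_flipped_by_one_residual_error, column_weight)."""
    k = [int(c) for c in "1011001110001110 0101010111011100 "
                         "0011011110101100 1010101011110001".replace(" ", "")]
    secret, public = b"seed from secure key buffer", b"public matrix seed"
    alice_kf, m, k_n = station_output(k, 24, secret, public)
    bob_kf, _, _ = station_output(k, 24, secret, public)
    # A single disagreement that error correction missed, at shuffled position p,
    # flips exactly those output bits whose matrix row has a 1 in column p: the
    # matrix diffuses it across the final key, which is why the hash comparison
    # after Cascade matters before privacy amplification is run.
    p = 5
    k_bad = list(k_n)
    k_bad[p] ^= 1
    bob_bad = privacy_amplify(k_bad, m)
    flipped = sum(x != y for x, y in zip(alice_kf, bob_bad))
    return alice_kf == bob_kf, len(alice_kf), flipped, sum(row[p] for row in m)
```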

Quantum Key Generation at Alice

FIG. 2 [Alice-1], FIG. 3 [Alice-2], and FIG. 4 [Alice-3] are flow diagrams of a quantum key generation process according to the present invention as performed by Alice's computer, located at the Alice node. Hereinafter, “Alice's apparatus” and “Alice's computer”, and “Bob's apparatus” and “Bob's computer”, are referred to as “Alice” and “Bob,” respectively.

FIG. 2 [Alice-1] is a flow diagram illustrating a sifting stage as run on Alice's computer. In 8-1, Alice receives quantum layer key bits and bases from the RNG within Alice's apparatus. In 8-2, Alice receives click positions of single photon detectors at Bob's apparatus (CPB), bases for clicks (BCB), and a message authentication code (MACB1) from Bob. In 8-3, Alice calculates her message authentication code (MACA1) and compares it to Bob's message authentication code (MACB1). In 8-4, MACB1 is compared to MACB2. If the values of MACB1 and MACA1 coincide (“yes”), Alice concludes that there was no attempt to tamper with data. If the values of MACB1 and MACA1 do not coincide (“no”), the program generates an attack alert at 8-5 and sends a warning to Bob at 8-6.

In the case that the values of MACB1 and MACA1 coincide, in 8-7 Alice forms a correct basis positions string (CBPA) by checking bases for coincidence and calculates a message authentication code for CBPA (MACA2). In 8-8, CBPA and MACA2 are then sent to Bob. Thereafter, in 8-9, Alice picks bits that correspond to correct bases and discards the rest of the bits.

FIG. 3 [Alice-2] is a flow diagram that continues from the flow diagram of FIG. 2, and contains the buffering for the sifting stage, the shuffling, and the error correction protocol part of the algorithm (a modified Cascade, as an example) as run on Alice's computer. Following 8-9 of FIG. 2, buffering is completed in 9-1. Then in 9-2, Alice performs cryptographically strong shuffling utilizing the pre-agreed part of the key. Then in 9-3, the shuffled string hash (ha) is calculated and in 9-4 ha is sent to Bob.

For error correction, Alice uses the modified Cascade protocol with one-time pad parity bit encryption at 9-5. Within each run of 9-5, an Nth pass of the modified Cascade algorithm is communicated to Bob. After each pass of the modified Cascade protocol of 9-5, Alice checks the status of coincided hash values sent from Bob. If at 9-6 a new hash (h) and the old hash (ha) at Bob's side do not coincide (“no”), a higher pass of the modified Cascade is run. The process is stopped when coinciding hashes (“yes”) are achieved at 9-6. In 9-7, the results of error correction may also be buffered.

The parties might decide to exchange some authenticated information about their generated keys to ensure that there was no spoofing during communication over the public channel.

FIG. 4 [Alice-3] is a flow diagram that continues from the flow diagram of FIG. 3 and that illustrates the generation of error-free key stage as run on Alice's computer. In 10-1, privacy amplification is performed on the corrected bit string by multiplication of the corrected bit stream by a fixed random binary matrix M. This procedure generates the secure key. In 10-2, the secure key is buffered synchronously with Bob's station and in 10-3 the secure key is outputted.

Buffering is a good measure against a denial of service (DOS) attack. In case of a DOS attack, the stations issue an alarm to the control center. For example, the stations can send a simple network management protocol (SNMP) trap. The stations can then start using buffered keys instead of QKD-generated keys until the DOS is mitigated. The size of the buffer should be big enough to provide the time for technical personnel to address the DOS problem. It should be noted that the standard implementation of quantum cryptography is not resistant to DOS attacks.

Quantum Key Generation Process at Bob

FIG. 5 [Bob-1], FIG. 6 [Bob-2], and FIG. 7 [Bob-3] are flow diagrams for a quantum key generation process as performed by Bob's computer. FIG. 5 [Bob-1] is a flow diagram that contains a sifting stage as run on Bob's computer. In 11-1, Bob receives quantum layer bases for clicks from the RNG within Bob's apparatus (BCB) and click positions (CPB) from the single photon detector(s) through, for example, a 32 bit input/output port. In 11-2, a string is formed for CPB and for BCB. In 11-3, for these strings Bob calculates a message authentication code (MACB1). In 11-4, Bob sends Alice BPB, BCB and MACB1. In turn, in 11-5 Bob receives from Alice CBPA and MACA2. In 11-6, for the data received, a message authentication code (MACB2) is once more calculated, and in 11-7 MACB2 and MACA2 are compared. If MACB2 and MACA2 do not coincide (“no”), an attempt at tampering with data occurred during data transfer. In this case, in 11-8 the program generates an attack alert and in 11-9 sends a warning to Bob and Alice. If MACB2 and MACA2 do coincide (“yes”) at 11-7, no attack happened during data transfer. In this case, in 11-10 the program picks bits that correspond to correct bases and discards the rest of the bits.
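The authenticated sifting exchange of FIG. 2 and FIG. 5, simulated end to end in Python as an added example that is not part of the patent: Bob sends CPB, BCB and MACB1, Alice verifies them, replies with CBPA and MACA2, and both stations keep only the correct-basis bits. HMAC-SHA256 stands in for the MAC the text leaves open (UMAC or an encrypted HMAC), and the link model (50% photon loss, ideal detectors, a pre-shared authentication key) is constructed for the example.

```python
"""Authenticated sifting exchange of FIG. 2 / FIG. 5, simulated in one process.

Added example, not the patent's code.  Assumptions: HMAC-SHA256 stands in for the
MAC the text leaves open (UMAC or encrypted HMAC); the channel model is an ideal
BB84 link with 50% photon loss; the authentication key is pre-shared.
"""
import hashlib
import hmac
import random


class AttackAlert(Exception):
    """Raised in place of steps 8-5/8-6 and 11-8/11-9 (alert plus warning to the peer)."""


def encode(ints):
    """Pre-agreed, length-prefixed wire form for a list of positions or basis bits."""
    return len(ints).to_bytes(4, "big") + b"".join(i.to_bytes(4, "big") for i in ints)


def mac(auth_key, *fields):
    """MAC over the fields in pre-agreed order (HMAC-SHA256 stand-in)."""
    h = hmac.new(auth_key, digestmod=hashlib.sha256)
    for f in fields:
        h.update(f)
    return h.digest()


class Bob:
    def __init__(self, auth_key, bases, clicks):
        self.auth_key, self.bases, self.clicks = auth_key, bases, clicks

    def sift_request(self):
        """11-1..11-4: click positions CPB, bases at those clicks BCB, and MACB1."""
        cpb = [i for i, c in enumerate(self.clicks) if c is not None]
        bcb = [self.bases[i] for i in cpb]
        return cpb, bcb, mac(self.auth_key, encode(cpb), encode(bcb))

    def sift_response(self, cbpa, maca2):
        """11-5..11-10: verify MACA2, then keep only the bits at correct-basis positions."""
        if not hmac.compare_digest(mac(self.auth_key, encode(cbpa)), maca2):
            raise AttackAlert("MACB2 != MACA2")
        return [self.clicks[i] for i in cbpa]


class Alice:
    def __init__(self, auth_key, bases, bits):
        self.auth_key, self.bases, self.bits = auth_key, bases, bits

    def sift(self, cpb, bcb, macb1):
        """8-3..8-9: verify MACB1, form CBPA and MACA2, keep the bits at correct bases."""
        if not hmac.compare_digest(mac(self.auth_key, encode(cpb), encode(bcb)), macb1):
            raise AttackAlert("MACA1 != MACB1")
        cbpa = [i for i, b in zip(cpb, bcb) if self.bases[i] == b]
        key = [self.bits[i] for i in cbpa]
        return cbpa, mac(self.auth_key, encode(cbpa)), key


def simulate_link(n, seed):
    """Constructed quantum-layer data: random bits and bases at Alice, random bases
    at Bob, 50% loss, and a click equal to Alice's bit when the bases agree and a
    random bit otherwise."""
    rng = random.Random(seed)
    a_bits = [rng.randrange(2) for _ in range(n)]
    a_bases = [rng.randrange(2) for _ in range(n)]
    b_bases = [rng.randrange(2) for _ in range(n)]
    clicks = []
    for i in range(n):
        if rng.random() < 0.5:
            clicks.append(None)
        elif a_bases[i] == b_bases[i]:
            clicks.append(a_bits[i])
        else:
            clicks.append(rng.randrange(2))
    return a_bits, a_bases, b_bases, clicks


def run_sifting(n=2000, seed=7, tamper=False):
    """Full exchange; returns (alice_sifted_key, bob_sifted_key).
    With tamper=True an eavesdropper flips one basis bit of BCB in transit."""
    auth_key = b"pre-shared authentication key (constructed)"
    a_bits, a_bases, b_bases, clicks = simulate_link(n, seed)
    alice, bob = Alice(auth_key, a_bases, a_bits), Bob(auth_key, b_bases, clicks)
    cpb, bcb, macb1 = bob.sift_request()
    if tamper:
        bcb = [bcb[0] ^ 1] + bcb[1:]
    cbpa, maca2, a_key = alice.sift(cpb, bcb, macb1)
    b_key = bob.sift_response(cbpa, maca2)
    return a_key, b_key


def tamper_is_detected():
    """True when the modified BCB is caught by Alice's MAC comparison (8-4)."""
    try:
        run_sifting(tamper=True)
    except AttackAlert:
        return True
    return False
```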

FIG. 6 [Bob-2] is a flow diagram that continues from the flow diagram of FIG. 5 and that contains buffering for a sifting stage and shuffling, and a modified Cascade protocol part of the algorithm as run on Bob's computer.

In 12-1, the bits selected in 11-10 are buffered. After buffering is completed, then in 12-2 cryptographically strong shuffling utilizing the pre-agreed part of the key is performed. In 12-3, Bob receives the hash from Alice and saves it (ha) in 12-4. For error correction, in 12-5, Bob uses the modified Cascade protocol with one-time pad parity bit encryption. Within each run of 12-5, an Nth pass of the modified Cascade algorithm communication with Bob takes place. Such data exchange assures parity bit encryption. After each pass of the modified Cascade protocol of 12-5, a new hash (h) is calculated in 12-6, and compared to the previous hash (ha) in 12-7. If h and ha do not coincide (“no”), a higher pass of the modified Cascade is run in 12-5. The process is stopped when coinciding hashes are achieved (“yes”) at 12-6. In this case Bob, in 12-8, sends Alice a flag, which informs Alice that hash h and hash ha coincided. In 12-9, the results of error correction are also buffered.

FIG. 7 [Bob-3] is a flow diagram that continues from the flow diagram of FIG. 6 and contains a generation of error-free key stage as run on Bob's computer. In 13-1 (which follows buffering step 12-9), privacy amplification is performed on the corrected bit string by multiplication of the corrected bit stream by a fixed random binary matrix M. This procedure generates the secure key. The secure key from 13-1 is then buffered in 13-2 and a key is generated in 13-3.

Again, in case of a DOS attack, the stations issue an alarm to the control center and follow the above-described procedure to ensure continued operation.

Key Expansion

It should be noted that, in an example embodiment of the present invention, an arbitrarily long key for one-time pad encryption is produced, which increases the encrypted data bandwidth. Strictly speaking, one-time pad-like encryption with the expanded key is no longer one-time pad encryption. However, all the operations a user has to perform to encrypt the data are identical to the operations needed to implement one-time pad encryption, so the term ‘one-time pad’ is used herein.

As mentioned above, the secure key rate from a QKD system is usually too low for commercially available data transmission lines if one-time pad encryption is being used. At the same time, in many cases using a one-time pad is an excess security measure. Accordingly, the following describes a QKD device that comprises a key expansion protocol in addition to the standard protocols of QKD. This lets a user select between two regimes of QKD operation: one-time pad and one-time expanded pad. In principle, a user can expand a key only at the user's site. However, such a solution is expensive and not necessarily safe, thus reducing the security level of the QKD system. The present technique allows users to choose between an expanded key regime and a one-time pad regime. However, the key expansion itself is performed within the QKD apparatus.

Current implementations of QKD suffer from a low key rate that today is on the order of 1 kbit/sec. The key rate is defined by the clock rate of the QKD device, imperfections of light sources, finite efficiency of detectors, finite finesse of optical elements, and losses in the optical fiber connecting the QKD stations. Though technological advances will likely enable an increase in the rate of secure bits, this rate will be lower than the bandwidth of commercially available communication lines. This prevents using QKD systems with one-time pad encryption on such communication lines.

On the other hand, a one-time pad is a natural encryption choice when QKD is used. A one-time pad ensures ultimate security, thus making the combination of one-time pad encryption and QKD unbreakable. The drawback is that using a one-time pad limits the data transmission bandwidth to that of the key rate.

In many cases, one-time pad encryption is excessive and other classical symmetric key encryption techniques can be employed with a QKD system. These techniques would require additional hardware and/or software. The present invention concerns a QKD system that does not provide specialized encryptors. Such systems can be used in one-time pad encryption mode. The following describes a feature of a QKD system (“one-time pad/expanded pad switch”) that enables the system to be used in either one-time pad or expanded pad regimes. The one-time pad embodiment provides the ultimate security delivered by quantum key distribution, while the expanded pad regime solves the problem of finite data bandwidth in cases when a one-time pad is not required.

A one-time pad/expanded pad switch can readily be added to a QKD system. In many cases, it can be realized by software means on existing QKD hardware. Preferably, both one-time pad and expanded pad regimes use the same key distribution interface.

The QKD system can be seen as a perfect random number generator producing the same random bits at two remote locations. At the switch position ‘one-time pad,’ the generated bits are sent via the interface to the user for one-time pad encryption of a particular message.

At the switch position ‘expanded pad’ the random bits serve as a seed for a cryptographically strong pseudo random number generator that can be implemented on QKD hardware to produce a pseudo random bit stream that is long enough to encrypt a message and which, again, is sent via the same interface to the user for one-time pad encryption of the message.

The communicating parties switch the regimes synchronously. For synchronization, they can use any communication network in their possession. For example, the party—Alice or Bob—that requests key expansion sets “Pad Expansion Flag”=1 for a pre-agreed bit, and exchanges this bit with the other party within the accepted communication protocol between the two QKD stations. The synchronization protocol also can be implemented in a QKD device and can use the communication line of QKD. The party transmitting the encrypted message informs the receiving party of the encryption regime and, in case of the expanded pad regime, the key expansion ratio.

Example of Key (Pad) Expansion

Key expansion can be performed in a QKD device after the privacy amplification protocol, or it can be combined with the privacy amplification step. FIG. 8 [Bob-31] is a flow diagram for the embodiment where key expansion is performed after the privacy amplification protocol, represented by 14-1. The privacy amplified key is buffered in 14-2. In 14-3, the QKD system generates random bit blocks r = r1, r2, . . . , rN. The cryptographically strong pseudorandom number generator P stretches the bit blocks, pi = P(ri), producing a pseudorandom bit stream p = p1, p2, . . . , pN. For the pseudorandom number generator, one may use a type of stream cipher, for example AES in CTR mode. The pseudorandom bit stream is used for one-time pad encryption in expanded pad mode. This operation is run on both QKD stations, i.e. at Bob and Alice. In 14-4, the parties check the value of the exchanged “Pad Expansion Flag” bit. It should be noted here that the term “Pad Expansion” is used to denote expanding the key to form the (expanded) pad.

If “Pad Expansion Flag”=0, then the output is just a key as generated during the QKD process. With buffered keys in mind, the key schedule with AES in Counter (CTR) mode has the structure “ID_1 Key_1; ID_2 Key_2; ID_N Key_N” (see FIG. 9a), where ID_I is a number assigned to each key Key_I.

In 14-5, the expanded pad is outputted. If “Pad Expansion Flag”=1, then the output is the expanded key. Then the key schedule with AES in CTR mode has the structure “ID_1 Key_1 Pad_1; ID_2 Key_2 Pad_2; . . . ; ID_N Key_N Pad_N” (see FIG. 9b), where ID_I is a number assigned to each pair of Key_I and Pad_I. Pad_N is a bit stream generated by means of AES-256 (Key_N) using AES in CTR mode. There is no correlation of ID_N with either Key_N or Pad_N. The key expansion ratio depends on the user's data bandwidth and the key generation rate. Key data is never reused. Although a key ID may be reused, its associated key data will always be different.

Thus, in the present invention one-time pad encryption need not be used to encrypt data whose bandwidth is higher than the key generation rate. In other words, if the data bandwidth B is higher than the key generation rate K, then we use K in combination with some classical cryptographic methods. For example, K is split into n 256-bit blocks k1, k2, . . . , kn (n=K/256) (in that way n is the number of 256-bit keys we can generate per second) and the keys kj are used with some classical encryption method to encrypt data for a time of 1/n seconds.

A similar implementation can be achieved for other cipher modes as well. For example, in CBC mode one would need to send the Key_ID only and there is no need to send the offset. CBC mode provides a higher data integrity check. If, for example, the packets are being encrypted at OSI level 2, then the data forgery after decryption will usually be noticed by OSI level 3 protocols. In that way CBC mode provides a much better data integrity check than CTR mode. To implement CBC mode encryption, a user might need specialized hardware.

It is worth noting that AES in CTR mode (as well as many other block stream ciphers) has a known flaw in that it is subject to data forgery or spoofing. Because of this, it is preferred that it be used with a data authenticity mechanism to ensure that the data has not been altered without authorization.

The same implementation can be used with other stream ciphers. It is worth noting that stream ciphers which provide message authentication can prevent data forgery and spoofing.

Pad expansion can be performed by cryptographically strong pseudorandom generators (like block stream ciphers). The privacy amplification step is a QKD protocol that produces a perfectly secure bit stream from a partially secure bit stream. This is usually achieved by applying some universal hash function on the partially secure bits (e.g., Bennett, Brassard-Generalized PA). The hash function compresses the bit stream in such a way that the eavesdropper has exponentially little information on the compressed bits. To some extent, pad expansion ‘does the opposite.’ Specifically, pad expansion stretches the bit stream so that more key bits are received at the output.

The expanded pad can be generated by modifying the privacy amplification procedure by adjusting the compression ratio. The latter reduces computational complexity and, thus, the computational resources of the hardware. As an example, one possible embodiment involves the communicating parties applying a cryptographically strong shuffling procedure on partially secure bits without compression. The seed for the shuffling procedure can be exchanged between the parties over any existing communication network that the parties possess. The parties can agree on one-time pad encryption for the shuffling seed. Starting at this point, the parties can seed a cryptographically strong pseudo random number generator with the shuffled bits.

In accordance with an example embodiment of the present invention, the receiver of the single-bit transmission is aware of when the transmitter is going to transmit the encrypted data to the receiver. It should be noted that in one example the transmitter is transmitting the encrypted data to the receiver, while in another example the receiver may instead be a transmitter, while the transmitter acts as a receiver.

User Data Encryption

In an example embodiment, the present invention is used to perform data encryption in the manner outlined below. At the encryption station (say, Bob), the station reads the user data packet and determines the packet data size in bytes. The encryption station then checks to see if the sum of the current offset and the packet data size is less than the Pad size in bytes. If not, the station jumps to the next key ID and resets the offset to zero.

The encryption station then XORs the packet data with the appropriate pad, starting from the current offset value. It adds the Key ID and offset information in unencrypted format to the packet. The latter can be done by encapsulating the packet into another packet, by adding an additional header, or by using some already existing field of the data packet. The encryption station then increases the current offset by the size of the encrypted data packet and transmits the encrypted packet to the receiver.

At the decrypting station (say, Alice), the packets are read and the Key ID and offset are extracted. The received data is then XORed with the appropriate pad starting from the received offset value. The receiver station then restores all packet headers (if necessary), and passes the data to the user.
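The key schedule of FIG. 9a/9b, the pad expansion of FIG. 8 and the Key ID/offset packet handling of the preceding three paragraphs, as an added Python example that is not the patent's own code. A SHA-256 counter construction stands in for AES-256 in CTR mode as the expanding stream cipher, the 12-byte clear header layout (4-byte Key ID, 8-byte offset) is an assumption of this example, and the three 32-byte keys are constructed rather than QKD-generated.

```python
"""Key schedule of FIG. 9a/9b, pad expansion, and the Key-ID/offset packet format.

Added example, not the patent's code.  Assumptions: SHA-256(key || counter) stands
in for AES-256 in CTR mode as the stream cipher that expands Key_N into Pad_N; the
12-byte clear header (4-byte Key ID, 8-byte offset) is a layout chosen here; Key IDs
are unique within one schedule.
"""
import hashlib
import struct
from dataclasses import dataclass

HEADER = struct.Struct("!IQ")  # Key ID, offset; carried unencrypted, as the text describes


def expand_pad(key, pad_len):
    """Stream-cipher stand-in: concatenate SHA-256(key || 128-bit block counter) blocks."""
    blocks = (pad_len + 31) // 32
    stream = b"".join(hashlib.sha256(key + ctr.to_bytes(16, "big")).digest()
                      for ctr in range(blocks))
    return stream[:pad_len]


@dataclass
class Entry:
    key_id: int
    key: bytes
    pad: bytes


def build_schedule(qkd_keys, pad_expansion_flag, ratio=1):
    """Flag 0 (FIG. 9a): the pad is the privacy-amplified key itself.
    Flag 1 (FIG. 9b): Pad_N is the stream cipher keyed with Key_N, `ratio` times longer."""
    return [Entry(i, k, k if pad_expansion_flag == 0 else expand_pad(k, len(k) * ratio))
            for i, k in enumerate(qkd_keys)]


def xor(data, pad):
    return bytes(a ^ b for a, b in zip(data, pad))


class Encryptor:
    """Encryption station (say, Bob): walks the schedule and never reuses pad bytes."""

    def __init__(self, schedule):
        self.schedule = list(schedule)
        self.offset = 0

    def encrypt(self, packet):
        while True:
            if not self.schedule:
                raise RuntimeError("key schedule exhausted: fall back to buffered keys")
            entry = self.schedule[0]
            if len(packet) > len(entry.pad):
                raise ValueError("packet larger than any pad: fragment it or raise the ratio")
            # The text tests offset + size < pad size; the equal case also fits exactly.
            if self.offset + len(packet) <= len(entry.pad):
                break
            self.schedule.pop(0)  # jump to the next Key ID; leftover pad bytes are discarded
            self.offset = 0
        ct = xor(packet, entry.pad[self.offset:self.offset + len(packet)])
        header = HEADER.pack(entry.key_id, self.offset)
        self.offset += len(packet)
        return header + ct


class Decryptor:
    """Decrypting station (say, Alice): locates the pad by Key ID and offset."""

    def __init__(self, schedule):
        self.pads = {e.key_id: e.pad for e in schedule}
        self.next_offset = {e.key_id: 0 for e in schedule}  # in-order delivery assumed

    def decrypt(self, frame):
        key_id, offset = HEADER.unpack_from(frame)
        ct = frame[HEADER.size:]
        pad = self.pads.get(key_id)
        if pad is None or offset + len(ct) > len(pad):
            raise ValueError("unknown Key ID or offset outside the pad")
        if offset < self.next_offset[key_id]:
            raise ValueError("replayed or overlapping offset: pad bytes would be reused")
        self.next_offset[key_id] = offset + len(ct)
        return xor(ct, pad[offset:offset + len(ct)])


def demo_keys():
    """Three constructed 32-byte privacy-amplified keys (real ones come from QKD)."""
    return [bytes([i]) * 32 for i in (0x11, 0x22, 0x33)]
```

The decryptor's monotonic-offset check is an addition the text does not describe; it rejects a replayed or overlapping Key ID/offset pair, which would otherwise XOR two packets with the same pad bytes.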

1. A method for establishing a secure key between two stations, the method comprising: a) exchanging single photon signals between two quantum key distribution stations to form a plurality of raw keys at each station; b) performing error correction and privacy amplification on the raw keys to form a plurality of privacy amplified keys at each station; c) buffering the privacy amplified keys in each station to form matching key schedules at each station; and d) forming at least one expanded key from a key selected from the matching key schedules, wherein the at least one expanded key is suitable for one-time pad encryption of information to be exchanged between the two stations.

2. The method of claim 1, including: a) encrypting information using the at least one expanded key as a one-time pad; and b) transmitting the encrypted information between the two stations.

3. A method of sending encrypted information between two stations, comprising: a) establishing a raw key between the two stations using quantum key distribution; b) establishing a privacy amplified key from the established raw key; c) providing the option of encrypting data using a one-time pad based on either the privacy amplified key as an unexpanded key, or an expanded version of the privacy amplified key as an expanded key; and d) sending encrypted information between the two stations using a one-time pad based on either the unexpanded key or the expanded key.

4. The method of claim 3, including: a) expanding one or more of the privacy amplified keys; and b) storing at each station the one or more expanded keys in a key schedule.

5. The method of claim 3, including: a) storing at each station one or more unexpanded keys in a first key schedule; b) storing at each station one or more expanded keys in a second key schedule; and c) encrypting information using one-time pads based on keys from at least one of the first and second key schedules when raw keys cannot be exchanged between the stations.